Browsed by Month: October 2017

Whenever a news story breaks about information security (usually a radically bad FAILURE thereof) then “security researchers” or “consultants” get trotted out by the media to give expert soundbites. David Kennedy was a keynote speaker at the recently-concluded Rochester Security Summit, so he’ll do for my example:

David is a security researcher – which means he’s a hacker. No, I did not just accuse him of a crime. He’s a wonderful guy and I would totally invite him to dinner.

The media have abused the term “hacker” for years now. The original meaning of the word was simply, “One who is expert at programming and solving problems with a computer.” That expertise, together with an insatiable curiosity driving one to exercise it, is what genuinely makes a hacker.

Cyber-criminals may or may not be hackers. For example, if they wish to crack their way into some company in order to plunder its money or sensitive info, they might exercise their own high levels of technical skill. But they might hire technical capability, and not exercise it themselves. Or they might be what we call script-kiddies, people who find easy step-by-step recipes for creating digital mayhem, and use them to good effect against poorly secured targets. They might not even be criminals: they might be state-sponsored, and thus their actions are legal. At least under their nation’s laws.

But hacking is a set of problem-solving approaches, and a toolbox of techniques. It’s a way to accomplish a goal, and the goal’s goodness or badness is not relevant. Hacking is morally neutral. If, and only if, the goal of the hacking is a crime, then a hacker also happens to be a criminal.

Security researchers (like David) are employed to find ways that our information systems can be exploited. They might do malware reverse-engineering, or vulnerability discovery and analysis, or refining social engineering techniques. Most of our companies don’t employ them: it’s too specialized. Large providers and specialty firms (Verizon, FireEye) provide researcher talent, and we consume the output in the form of reports and alerts.

Independent researchers also work as consultants. They may help companies figure out what happened after an attack, or they may routinely provide bug reports to manufacturers. They may work on Red/Blue team exercises, where attacks are simulated and defenses are tested. Without question, Security Researchers are hackers. If they aren’t, they cannot function in that job.

Where? To the Rochester Security Summit of course! It kicks off tomorrow for two days of security geeking-out. I am looking forward to it plenty. My talk is on Friday at 2PM about full and responsible disclosure of bugs, bug bounties and so on.

Advertising supports a lot of the content you enjoy on the Internet. The economics of it should be simple. An advertiser pays a certain amount to get a commercial message in front of many readers or viewers. Some percentage of those viewers make a purchase. When enough revenue comes back to the advertiser, the ad is a good investment: returning more in margin to the business than it cost to produce and place. In practice it’s a lot more complex than I state here, but the backbone of advertising remains just that simple.

This simple idea has recently started to create problems of the sort that show up in the Safer Computing inbox. Advertisers realized that a digital advertising message can be a lot more than a picture with words or a short film to watch. This means you can experience web pages with ads that are mini-games, ads that follow you around a page as you scroll, ads that follow you from page to page as you browse, and more.

You may also be aware that ads make and store all sorts of inferences about you — inferences they gather from what goes on in your browser and on the rest of your computer. These inferred personal profiles are scooped up by data brokers and packaged to be resold to other marketers. That’s supposed to be done in enough volume to make each individual profile impossible to identify. But recent research has shown that, with so many different data points being collected, working backward from a large “anonymized” data set to reliably identifying individuals is far easier than anyone suspected. Yet, without enough different data points, the package is not attractive to marketers. It will not find a buyer.

Another very disturbing trend in advertising is the enormous number of computer virus and Trojan infections that the ad networks now make possible. Remember that the ads are more than just pictures or films; they have all kinds of sparkly interactive features. They dance, they sing, they explore the bleeding edge of being so annoying that you want to throw the computer out the window and go for a walk instead. And how do they accomplish these things?

Every one of those ads is a small program that you have half-consciously invited to run on your computer. Your browser was instructed to bring these programs along with the content you wanted to see. The intent of these programs appears to be delivery of a commercial message — but other functions are often hidden there. Viruses delivered within web ads have infected hundreds of millions of computers around the world with everything from botnet spam clients to ransomware. The websites that deliver these ads don’t often know what they are sending out; they simply allow ad networks to deliver whatever they like within broad guidelines and accept the payments for what is passed along. The networks that aggregate and place these ads do not have the resources to check out all the ads they deliver, from what may be thousands of sources. What’s worse, they don’t have the incentive. With enough layers of middlemen, there’s nowhere for liability to land.

With all that to consider, I decided a while ago that I would block ads everywhere I could. There are two counter-arguments to blocking ads I did consider. One is, how will I support the websites whose content I am enjoying? Simple: I actually become a paid member or supporter of any sites I read frequently enough. Some sites I visit for the first time say they won’t serve me content unless I disable my ad-blocker. Fair enough, I say, and click away to find a similar item elsewhere.

The other counter-argument is, how will I learn of cool new products or services I might want to try? Since I was never one to find such things through ads, I consider this a small loss if any. But the truth is, I check out new things that are any larger than tiny impulse buys at recommendation sites like Wirecutter, Sweet Home or Consumer Reports. I prefer unbiased comparative reviews to advertising content, for decisions to purchase.

My current ad-blocker of choice is uBlock Origin by Raymond Hill. It’s a very low-profile browser add-on for Firefox, Chrome or Opera. I say “current” because my choice has changed a few times recently. Other ad-blocker providers have gradually been seduced by money and become ad networks in themselves, serving what they call “safe” or “white-listed” ads. Their users have had varying levels of choice about this, from “a little” to “none.” With uBlock Origin, so far so good. If things change, I will add an updated recommendation in this space.